Kerberos Authentication against Multiple Domains

Make sure that the Kerberos service user account you have set up does not have “Use DES encryption types for this account” selected. If it is already selected, you must uncheck it and reset the password. The same SPN/service user account cannot support both DES and RC4-HMAC; it must be one or the other.

Make sure that the Kerberos service user account password matches on both domains (PRIMARY.COM and OTHER.COM).

If you have multiple keytab files that need to be in one place, you can merge the keys with the ktutil command.
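A check for the merged keytab, added here as an example and not part of the original article: it parses the MIT keytab format that ktutil writes and reports whether the SPN has a key in both realms and whether any DES enctype (1 or 3) is still present, which is the DES/RC4-HMAC condition described above. The SPN HTTP/idp.primary.com and the keytab bytes are constructed for the example, and deleted (negative-size) slots are assumed absent.

```python
import struct

DES_ENCTYPES = {1, 3}  # des-cbc-crc, des-cbc-md5; RC4-HMAC is enctype 23

def _counted(buf, off):  # keytab counted_octet_string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):  # MIT keytab v0x0502 -> {principal: [enctype, ...]}
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    out, off = {}, 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        p += 9  # skip name_type (uint32), timestamp (uint32) and vno8 (uint8)
        (enctype,) = struct.unpack_from(">H", data, p)
        out.setdefault("/".join(comps) + "@" + realm, []).append(enctype)
        off = end  # key bytes and the optional 32-bit kvno follow; not needed here
    return out

def check_merged(data, spn, realms):  # realms lacking the SPN, and DES keys for it
    keys, problems = parse_keytab(data), []
    for realm in realms:
        enctypes = keys.get(f"{spn}@{realm}", [])
        if not enctypes:
            problems.append(f"no key for {spn}@{realm}")
        problems += [f"DES key (enctype {et}) for {spn}@{realm}"
                     for et in enctypes if et in DES_ENCTYPES]
    return problems

def _entry(realm, comps, kvno, enctype, key):  # one keytab entry, for the sample below
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the SPN in both realms with RC4-HMAC, plus a stray DES key in OTHER.COM.
SPN = "HTTP/idp.primary.com"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("PRIMARY.COM", SPN.split("/"), 3, 23, b"\x11" * 16)
                 + _entry("OTHER.COM", SPN.split("/"), 3, 23, b"\x22" * 16)
                 + _entry("OTHER.COM", SPN.split("/"), 3, 3, b"\x33" * 8))
```

Run `check_merged` on the real merged file (`open(path, "rb").read()`) with the SPN and both realms; an empty list means both realms are present and no DES key remains.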

bcsLogin.conf:

Make sure that bcsLogin.conf is configured as the service requires so that it reads the merged keytab information.

User Stores:

Add both the user stores (PRIMARY.COM and OTHER.COM) in the IDP cluster.

UPN Suffix:

The UPN presented in the ticket is used to search for the user, and the UPN suffix list is configured to accept the different UPN suffixes.

Enter only the second domain in the UPN Suffixes (in our case OTHER.com) and add both user stores in Kerberos Methods.

Note: Implementation procedures on Windows 2008 R2 are basically the same as with other Windows versions. However, since the DES cipher is disabled by default in Windows 2008 R2, enable DES cipher support on Windows 2008 R2. See the following tech note from Microsoft:

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.

2 Comments

The keytab is generated for each domain. It works for each domain, but when I use the merge keytab, I receive the login screen in place.

I use nam 3.1.5; on which version have you tested this solution?

I have a misunderstanding with the following:

Make sure that the Kerberos service user account you have set up does not have “Use DES encryption types for this account” selected. If it is already selected, then you must uncheck it and reset the password. It is not possible for the same SPN/service user account to support both DES and RC4-HMAC security. It must be one or the other.

and

Note: Implementation procedures on Windows 2008 R2 are basically the same as with other Windows versions. However, since the DES cipher is disabled by default in Windows 2008 R2, enable DES cipher support on Windows 2008 R2. See the following tech note from Microsoft: